Fraud & Security: How We Protect Your Information
Letter from Orrstown’s Chief Information Security Officer:
Protecting client information and privacy is of paramount importance for Orrstown and as such we’ve hired seasoned information security and privacy professionals who have implemented multiple layers of logical and physical controls. The following letter attempts to provide an overview of these layers.
Knowing where Sensitive Information Resides
In order to protect sensitive information, one must know what information is present, where it is stored and how it moves between business applications and users. Orrstown maintains an accurate inventory of information stored in business applications and unstructured data stores. Each of these locations is risk classified using several attributes, including the volume and confidentiality of the information. The risk classification focuses our security investments on the highest risk areas.
Giving the Right Access at the Right Time to the Right People
Limiting access to information remains one of the primary control mechanisms to protect information. Orrstown strives to give the right access to the right people at the right time. To that end, the firm has made investments in solutions designed to provide strong authentication mechanisms to both internal and external users and to ensure that any access is authorized.
Protecting Against External Threats
Security is most effective when implemented in layers. Although no single implementation or practice is impenetrable, many are layered together to create a strong weave of protection. Orrstown employs the latest in threat intelligence automation, firewalls, intrusion prevention, and anti-malware technologies to protect the bank against external threats. We have several security measures in place to ensure your online safety. All information entered and displayed on the Orrstown Online Banking site is protected by strong encryption through Transport Layer Security (TLS). You will establish a unique user name and password and enter them each time you log on. Orrstown Bank recommends that you establish a complex password containing a mix of numbers and characters. The system will prompt you with your personal challenge and response questions if it detects a change in your pattern of online use, such as a new internet service provider or a new bill payment payee.
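The risk-based prompting described in the paragraph above (challenge questions triggered by a change in usage pattern such as a new internet service provider or a new bill payment payee) is commonly implemented as a small anomaly score over a per-user profile. The following is an added illustration written for this page, not Orrstown's own code; the signal names, weights, threshold and sample events are all constructed assumptions chosen so that a new ISP or a new payee on its own is enough to trigger a challenge, while a larger-than-usual payment to an already-known payee is only a soft signal.

```python
"""Risk-based step-up authentication: prompt the user's challenge questions
when a session deviates from established usage.
Added example, not Orrstown's code. All names, weights and sample data are
assumptions constructed for this illustration."""
from dataclasses import dataclass, field

# Assumed signal weights and challenge threshold. A new ISP or a new device
# alone reaches the threshold; a large payment to a known payee does not.
WEIGHTS = {"new_isp": 2, "new_device": 2, "new_payee": 3, "large_payment": 1}
CHALLENGE_THRESHOLD = 2
LARGE_PAYMENT = 1000.00  # assumed amount above which a payment is unusual


@dataclass
class Profile:
    """Attributes the system has previously seen for one online-banking user."""
    isps: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    payees: set = field(default_factory=set)


def risk_signals(profile, event):
    """Return the anomaly signals an event raises against the profile.

    event is a dict with keys isp, device, action and, for bill_pay
    actions, payee and amount."""
    signals = []
    if event["isp"] not in profile.isps:
        signals.append("new_isp")
    if event["device"] not in profile.devices:
        signals.append("new_device")
    if event.get("action") == "bill_pay":
        if event["payee"] not in profile.payees:
            signals.append("new_payee")
        if event.get("amount", 0) >= LARGE_PAYMENT:
            signals.append("large_payment")
    return signals


def risk_score(profile, event):
    """Sum the weights of every signal the event raises."""
    return sum(WEIGHTS[s] for s in risk_signals(profile, event))


def requires_challenge(profile, event):
    """True when the session should be stepped up to challenge questions."""
    return risk_score(profile, event) >= CHALLENGE_THRESHOLD


def learn(profile, event):
    """After a session completes (including any challenge), fold the event's
    attributes into the profile so the same pattern is not flagged again."""
    profile.isps.add(event["isp"])
    profile.devices.add(event["device"])
    if event.get("action") == "bill_pay":
        profile.payees.add(event["payee"])


def build_sample_profile():
    """Constructed history: one home ISP, one laptop, one known payee."""
    p = Profile()
    learn(p, {"isp": "AS-HOME-CABLE", "device": "laptop-abc",
              "action": "bill_pay", "payee": "Electric Co", "amount": 120.0})
    return p


if __name__ == "__main__":
    p = build_sample_profile()
    routine = {"isp": "AS-HOME-CABLE", "device": "laptop-abc", "action": "login"}
    travel = {"isp": "AS-HOTEL-WIFI", "device": "laptop-abc", "action": "login"}
    new_payee = {"isp": "AS-HOME-CABLE", "device": "laptop-abc",
                 "action": "bill_pay", "payee": "New Plumber LLC", "amount": 80.0}
    for name, ev in [("routine", routine), ("new ISP", travel), ("new payee", new_payee)]:
        print(f"{name}: signals={risk_signals(p, ev)} challenge={requires_challenge(p, ev)}")
```

The `learn` step matters as much as the scoring: once a user has passed a challenge from a new network or after adding a payee, that attribute becomes part of the profile, so the next routine session from the same place is not re-challenged and the prompt stays meaningful rather than becoming noise.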
Protecting Against Insider Threats
Orrstown recognizes that insiders, whether accidental or malicious, can do as much damage to the safety and privacy of client information as external threats. To help protect against the malicious insider, Orrstown employs the principle of least privilege, meaning that a user is granted only what is absolutely necessary to accomplish a job role. Additionally, Orrstown invests in controls designed to ensure that sensitive information is not accidentally or purposely lost or stolen by insiders. Finally, because Orrstown knows that, given the nature of the roles at the bank, these controls will not prevent every incident, Orrstown implements multiple layers of detective controls in the form of behavior monitoring, reconciliation processes, etc.
Managing Vendors
Like many organizations, Orrstown relies on vendors to provide certain services. Orrstown has a robust vendor management program designed to ensure that our vendors treat our client information as securely as we would.
Educating Employees and Clients
Finally, Orrstown understands that humans are always going to be the weakest link. As such, we continue to promote awareness of the responsibility of every employee to protect information, education on how best to protect sensitive information, information about current threats (including phishing schemes and scams), etc. Orrstown also publishes a quarterly client newsletter that includes information about how our clients can help to protect their own information.
Respectfully submitted,
Andrew Linn
Senior Vice President, Chief Information Security Officer
Orrstown Bank